RHEL / CentOS / Fedora: Verify GPG Key For Package Update

How do I verify that the system is using the correct GPG keys to verify all patches, packages and updates installed from RHN or a repo under RHEL 5 or 6 server operating systems? All packages can be cryptographically verified using the rpm / yum and gpg commands. You need to use the /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release file. All packages from RHN or 3rd party Fedora Linux repos are signed with a GPG signature. The yum command will verify these signatures and refuse to install any packages that are not signed or have bad signatures. This makes sure that the packages from RHN were provided by Red Hat, Inc. and have not been modified by anyone else.

Verify Installed Keys

To verify that the keys installed on your RHEL server system match the key listed here, use GnuPG to check that the fingerprint of the key matches:

# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Sample outputs:
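The same fingerprint comparison can be scripted instead of read by eye. The following is an added example, not part of the original page: it parses gpg's machine-readable `--with-colons` listing and compares the primary key's fingerprint with a value you obtained out of band. The function names, the sample listing and the fingerprint in it are constructed for illustration, and `check_key_file` assumes a gpg that lists a key file given with no command, as in the command above.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --with-fingerprint <keyfile>` output.
# The key ID and fingerprint are placeholders, not a real vendor key.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:2010-01-01:::-:Example Release Key (constructed):
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Strip spaces, tabs, newlines and colons, and upper-case the hex digits, so that
# "0123 4567 ..." and "01234567..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin and print the fingerprint of the first
# public key (field 10 of the first "fpr" record after the first "pub").
primary_fpr() {
    awk -F: '
        $1 == "pub" { seen_pub++ }
        $1 == "fpr" && seen_pub == 1 { print $10; exit }
    '
}

# Compare the listing on stdin with the expected fingerprint in $1.
# Returns 0 on match, 1 on mismatch, 2 if the expected value is not a full
# 40-hex-digit fingerprint or no fingerprint was found in the listing.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$(primary_fpr)")
    case "$expected" in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    # Reject short/long key IDs: they are not unique enough to trust.
    [ ${#expected} -eq 40 ] || return 2
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ]
}

# Check a key file on disk: $1 = key file, $2 = expected fingerprint.
check_key_file() {
    gpg --quiet --with-colons --with-fingerprint "$1" 2>/dev/null | fpr_matches "$2"
}

# Demo on the constructed sample (no gpg needed).
printf '%s\n' "$SAMPLE_COLONS" |
    fpr_matches "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" &&
    echo "fingerprint matches"
```

On a real system, call `check_key_file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release "<fingerprint from the vendor's published key page>"` and treat any non-zero exit status as a failed check.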